How to lock down external anonymous access SharePoint sites

Securing SharePoint and related infrastructure becomes very important for External/Internet websites running on SharePoint 2007 and available to anonymous users. Detailed security guidance for such a scenario is available in the Technet article - Plan security for an external anonymous access environment (Office SharePoint Server).

Lockdown Mode

One of the steps mentioned in the above article is to enable the “Lockdown” mode. Lockdown mode is a feature that you can use to secure published sites. By enabling lockdown mode on a site, you can restrict the permissions for anonymous users.

Permission                                          Limited access — default    Limited access — lockdown mode
List permissions: View Application Pages            Y
Site permissions: Browse User Information           Y                           Y
Site permissions: Use Remote Interfaces             Y
Site permissions: Use Client Integration Features   Y                           Y
Site permissions: Open                              Y                           Y

When lockdown mode is turned on, the fine-grained permissions of the Limited Access permission level are reduced as shown above. Lockdown mode is applied to sites under the following circumstances:

  • The Stsadm.exe command-line tool is used to turn lockdown mode on.
  • The Publishing Portal site template is applied to the site collection. By default, lockdown mode is turned on when this template is applied.

For more information about lockdown mode in SharePoint 2007, see the "Use lockdown mode" section in the article linked above.

What else needs to be done?

Even when lockdown mode is enabled, anonymous users can still access certain SharePoint Server application URLs, such as pages in the _layouts directory and Web services that are exposed in the _vti_bin directory. So, to increase security, you should enable lockdown mode and also modify the Web.config file.

The article - Locking down Office SharePoint Server sites describes how to modify the Web.config file to restrict anonymous access to these additional resources. The sample XML from that article, showing which statements to add to the Web.config file (anonymous users are denied under _layouts and _vti_bin, then explicitly allowed back in only for the login, error and access-denied pages), is pasted below:

<?xml version="1.0" encoding="utf-8" ?>
<actions>
  <add path="configuration">
    <location path="_layouts">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="_vti_bin">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="_layouts/login.aspx">
      <system.web>
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="_layouts/error.aspx">
      <system.web>
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="_layouts/accessdenied.aspx">
      <system.web>
        <authorization>
          <allow users="?" />
        </authorization>
      </system.web>
    </location>
  </add>
</actions>

Based on your specific requirements for giving anonymous users access to particular pages in the _layouts directory and/or services in the _vti_bin directory, you can modify the XML accordingly and follow the deployment process given in the How To: Add Custom Configuration Settings to Extend a Web Application article.
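Before deploying, it helps to confirm what the resulting rules actually do for an anonymous request. The following Python script is an added example (not code from the post or from the linked articles) that parses a Web.config and applies ASP.NET URL-authorization semantics offline: rules from the most specific matching location are evaluated first, the first rule naming "?" (anonymous) or "*" (everyone) wins, and no matching rule means access is allowed. The embedded Web.config fragment is constructed to reflect the location blocks the actions XML above adds.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragment (not a real site's file): the <location> blocks
# that the post's actions XML adds, collapsed to one line per location.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web><authorization><allow users="*" /></authorization></system.web>
  <location path="_layouts"><system.web><authorization><deny users="?" /></authorization></system.web></location>
  <location path="_vti_bin"><system.web><authorization><deny users="?" /></authorization></system.web></location>
  <location path="_layouts/login.aspx"><system.web><authorization><allow users="?" /></authorization></system.web></location>
  <location path="_layouts/error.aspx"><system.web><authorization><allow users="?" /></authorization></system.web></location>
  <location path="_layouts/accessdenied.aspx"><system.web><authorization><allow users="?" /></authorization></system.web></location>
</configuration>
"""

def load_rules(config_xml):
    """Return {location path: [(verb, set of users), ...]}; '' holds the root rules."""
    root = ET.fromstring(config_xml)
    rules = {}
    for loc in [root] + root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        entries = []
        for rule in loc.findall("system.web/authorization/*"):
            if rule.tag in ("allow", "deny"):
                users = {u.strip() for u in rule.get("users", "").split(",")}
                entries.append((rule.tag, users))
        rules[path] = entries
    return rules

def anonymous_allowed(rules, request_path):
    """Decide an anonymous ('?') request under ASP.NET URL authorization:
    the most specific matching <location> is consulted first, the first rule
    naming '?' or '*' wins, and with no matching rule access is allowed."""
    path = request_path.strip("/").lower()
    matching = [p for p in rules if p == "" or path == p or path.startswith(p + "/")]
    for loc in sorted(matching, key=len, reverse=True):
        for verb, users in rules[loc]:
            if users & {"?", "*"}:
                return verb == "allow"
    return True

def audit(config_xml, probes):
    """Map each probe path to whether an anonymous request would be allowed."""
    rules = load_rules(config_xml)
    return {p: anonymous_allowed(rules, p) for p in probes}

if __name__ == "__main__":
    for path, ok in audit(SAMPLE_WEB_CONFIG, ["_layouts/settings.aspx",
            "_layouts/login.aspx", "_vti_bin/lists.asmx", "Pages/default.aspx"]).items():
        print(f"{'ALLOW' if ok else 'DENY':5} anonymous -> /{path}")
```

Paths outside _layouts and _vti_bin fall through to the root rule, so for those pages the lockdown-mode permission reductions remain the only control on what anonymous users can reach.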